IIRC the problem was the underlying samba-tool: it does not provide an option to change the corresponding LDAP attribute, after user creation.
IMO that checkbox should be removed from that page, because “User U has a shell access to Machine M” depends on both U and M. As we support remote account providers we should also implement a method (GPOs?) to deploy permissions on individual machines, to enforce rules like:
- User1 can ssh to Machine1 (file server)
- User1 can’t ssh to Machine2 (firewall)
- …